Anti CSRF and Cors config

Author: VINADES.,JSC

admin/seotools/sitemapPing.php

@@ -61,7 +61,7 @@ function nv_sitemapPing($module, $link)
     }
 
     if (! $result and nv_function_exists('fsockopen')) {
-        $url_parts = @parse_url($link);
+        $url_parts = parse_url($link);
         if (! $url_parts) {
             return $lang_module['searchEngineFailed'];
         }

admin/settings/admin.menu.php

@@ -8,7 +8,7 @@
  * @Createdate 07/30/2013 10:27
  */
 
-if (! defined('NV_ADMIN')) {
+if (!defined('NV_ADMIN')) {
     die('Stop!!!');
 }
 

admin/settings/security.php

@@ -44,9 +44,7 @@
     $selectedtab = 0;
 }
 
-$array_config_global = [];
-$array_config_define = [];
-$array_config_site = [];
+$array_config_global = $array_config_define = $array_config_cross = [];
 
 $checkss = md5(NV_CHECK_SESSION . '_' . $module_name . '_' . $op . '_' . $admin_info['userid']);
 // Xử lý các thiết lập cơ bản
@@ -56,8 +54,8 @@
         $array_config_global['proxy_blocker'] = $proxy_blocker;
     }
 
-    $array_config_global['str_referer_blocker'] = (int)$nv_Request->get_bool('str_referer_blocker', 'post');
-    $array_config_global['is_login_blocker'] = (int)$nv_Request->get_bool('is_login_blocker', 'post', false);
+    $array_config_global['str_referer_blocker'] = (int) $nv_Request->get_bool('str_referer_blocker', 'post');
+    $array_config_global['is_login_blocker'] = (int) $nv_Request->get_bool('is_login_blocker', 'post', false);
     $array_config_global['login_number_tracking'] = $nv_Request->get_int('login_number_tracking', 'post', 0);
     $array_config_global['login_time_tracking'] = $nv_Request->get_int('login_time_tracking', 'post', 0);
     $array_config_global['login_time_ban'] = $nv_Request->get_int('login_time_ban', 'post', 0);
@@ -223,43 +221,72 @@
 
 $lang_module['two_step_verification_note'] = sprintf($lang_module['two_step_verification_note'], $lang_module['two_step_verification0'], NV_BASE_ADMINURL . 'index.php?' . NV_LANG_VARIABLE . '=' . NV_LANG_DATA . '&' . NV_NAME_VARIABLE . '=users&' . NV_OP_VARIABLE . '=groups');
 
-// Xử lý thiết lập CORS
+// Xử lý thiết lập CORS, Anti CSRF
 if ($nv_Request->isset_request('submitcors', 'post') and $checkss == $nv_Request->get_string('checkss', 'post')) {
-    $array_config_site['cors_restrict_domains'] = (int)$nv_Request->get_bool('cors_restrict_domains', 'post', false);
-    $cors_valid_domains = $nv_Request->get_textarea('cors_valid_domains', '', NV_ALLOWED_HTML_TAGS, true);
-    $cors_valid_domains = explode('<br />', strip_tags($cors_valid_domains, '<br>'));
-
-    $array_config_site['cors_valid_domains'] = [];
-    foreach ($cors_valid_domains as $domain) {
-        if (!empty($domain)) {
-            $domain = parse_url($domain);
-            if (is_array($domain)) {
-                if (sizeof($domain) == 1 and !empty($domain['path'])) {
-                    $domain['host'] = $domain['path'];
+    $array_config_cross['crosssite_restrict'] = (int) $nv_Request->get_bool('crosssite_restrict', 'post', false);
+    $array_config_cross['crossadmin_restrict'] = (int) $nv_Request->get_bool('crossadmin_restrict', 'post', false);
+
+    // Lấy các request domain
+    $cfg_keys = ['crosssite_valid_domains', 'crossadmin_valid_domains'];
+    foreach ($cfg_keys as $cfg_key) {
+        $domains = $nv_Request->get_textarea($cfg_key, '', NV_ALLOWED_HTML_TAGS, true);
+        $domains = explode('<br />', strip_tags($domains, '<br>'));
+
+        $array_config_cross[$cfg_key] = [];
+        foreach ($domains as $domain) {
+            if (!empty($domain)) {
+                $domain = parse_url($domain);
+                if (is_array($domain)) {
+                    if (sizeof($domain) == 1 and !empty($domain['path'])) {
+                        $domain['host'] = $domain['path'];
+                    }
+                    if (!isset($domain['scheme'])) {
+                        $domain['scheme'] = 'http';
+                    }
+                    $domain_name = nv_check_domain($domain['host']);
+                    if (!empty($domain_name)) {
+                        $domain = $domain['scheme'] . '://' . $domain_name . ((isset($domain['port']) and $domain['port'] != '80') ? (':' . $domain['port']) : '');
+                        $array_config_cross[$cfg_key][] = $domain;
+                    }
                 }
-                if (!isset($domain['scheme'])) {
-                    $domain['scheme'] = 'http';
-                }
-                $array_config_site['cors_valid_domains'][] = $domain['scheme'] . '://' . $domain['host'] . ((isset($domain['port']) and $domain['port'] != '80') ? (':' . $domain['port']) : '');
             }
         }
+        $array_config_cross[$cfg_key] = empty($array_config_cross[$cfg_key]) ? '' : json_encode(array_unique($array_config_cross[$cfg_key]));
     }
-    $array_config_site['cors_valid_domains'] = empty($array_config_site['cors_valid_domains']) ? '' : json_encode($array_config_site['cors_valid_domains']);
 
-    $sth = $db->prepare("UPDATE " . NV_CONFIG_GLOBALTABLE . " SET config_value = :config_value WHERE lang = 'sys' AND module = 'site' AND config_name = :config_name");
-    foreach ($array_config_site as $config_name => $config_value) {
+    // Lấy các request IPs
+    $cfg_keys = ['crosssite_valid_ips', 'crossadmin_valid_ips'];
+    foreach ($cfg_keys as $cfg_key) {
+        $str_ips = $nv_Request->get_textarea($cfg_key, '', NV_ALLOWED_HTML_TAGS, true);
+        $str_ips = explode('<br />', strip_tags($str_ips, '<br>'));
+
+        $array_config_cross[$cfg_key] = [];
+        foreach ($str_ips as $str_ip) {
+            if ($ips->isIp4($str_ip) or $ips->isIp6($str_ip)) {
+                $array_config_cross[$cfg_key][] = $str_ip;
+            }
+        }
+        $array_config_cross[$cfg_key] = empty($array_config_cross[$cfg_key]) ? '' : json_encode(array_unique($array_config_cross[$cfg_key]));
+    }
+
+    $sth = $db->prepare("UPDATE " . NV_CONFIG_GLOBALTABLE . " SET config_value=:config_value WHERE lang='sys' AND module='global' AND config_name=:config_name");
+    foreach ($array_config_cross as $config_name => $config_value) {
         $sth->bindParam(':config_name', $config_name, PDO::PARAM_STR, 30);
         $sth->bindParam(':config_value', $config_value, PDO::PARAM_STR);
         $sth->execute();
     }
 
-    nv_insert_logs(NV_LANG_DATA, $module_name, 'LOG_CHANGE_CORS_SETTING', $global_config['cors_restrict_domains'] . ': ' . $array_config_site['cors_valid_domains'], $admin_info['userid']);
-    $nv_Cache->delMod($module_name);
+    nv_insert_logs(NV_LANG_DATA, $module_name, 'LOG_CHANGE_CORS_SETTING', json_encode($array_config_cross), $admin_info['userid']);
+    nv_save_file_config_global();
 
     nv_redirect_location(NV_BASE_ADMINURL . 'index.php?' . NV_LANG_VARIABLE . '=' . NV_LANG_DATA . '&' . NV_NAME_VARIABLE . '=' . $module_name . '&' . NV_OP_VARIABLE . '=' . $op . '&selectedtab=' . $selectedtab . '&rand=' . nv_genpass());
 } else {
-    $array_config_site['cors_restrict_domains'] = $global_config['cors_restrict_domains'];
-    $array_config_site['cors_valid_domains'] = empty($global_config['cors_valid_domains']) ? '' : implode("\n", $global_config['cors_valid_domains']);
+    $array_config_cross['crosssite_restrict'] = $global_config['crosssite_restrict'];
+    $array_config_cross['crosssite_valid_domains'] = empty($global_config['crosssite_valid_domains']) ? '' : implode("\n", $global_config['crosssite_valid_domains']);
+    $array_config_cross['crosssite_valid_ips'] = empty($global_config['crosssite_valid_ips']) ? '' : implode("\n", $global_config['crosssite_valid_ips']);
+    $array_config_cross['crossadmin_restrict'] = $global_config['crossadmin_restrict'];
+    $array_config_cross['crossadmin_valid_domains'] = empty($global_config['crossadmin_valid_domains']) ? '' : implode("\n", $global_config['crossadmin_valid_domains']);
+    $array_config_cross['crossadmin_valid_ips'] = empty($global_config['crossadmin_valid_ips']) ? '' : implode("\n", $global_config['crossadmin_valid_ips']);
 }
 
 $xtpl = new XTemplate($op . '.tpl', NV_ROOTDIR . '/themes/' . $global_config['module_theme'] . '/modules/' . $module_file);
@@ -509,9 +536,10 @@
     $xtpl->parse('main.error_save');
 }
 
-$array_config_site['cors_restrict_domains'] = empty($array_config_site['cors_restrict_domains']) ? '' : ' checked="checked"';
+$array_config_cross['crosssite_restrict'] = empty($array_config_cross['crosssite_restrict']) ? '' : ' checked="checked"';
+$array_config_cross['crossadmin_restrict'] = empty($array_config_cross['crossadmin_restrict']) ? '' : ' checked="checked"';
 
-$xtpl->assign('CONFIG_SITE', $array_config_site);
+$xtpl->assign('CONFIG_CROSS', $array_config_cross);
 
 $xtpl->assign('IS_FLOOD_BLOCKER', ($array_config_flood['is_flood_blocker']) ? ' checked="checked"' : '');
 $xtpl->assign('MAX_REQUESTS_60', $array_config_flood['max_requests_60']);

includes/core/admin_functions.php

@@ -100,9 +100,9 @@ function nv_save_file_config_global()
 
     $content_config = "<?php" . "\n\n";
     $content_config .= NV_FILEHEAD . "\n\n";
-    $content_config .= "if (!defined('NV_MAINFILE'))\n    die('Stop!!!');\n\n";
+    $content_config .= "if (!defined('NV_MAINFILE')) {\n    die('Stop!!!');\n}\n\n";
 
-    $config_variable = array();
+    $config_variable = [];
     $allowed_html_tags = '';
     $sql = "SELECT module, config_name, config_value FROM " . NV_CONFIG_GLOBALTABLE . " WHERE lang='sys' AND (module='global' OR module='define') ORDER BY config_name ASC";
     $result = $db->query($sql);
@@ -145,6 +145,7 @@ function nv_save_file_config_global()
     $config_variable['error_send_email'] = $config_variable['error_send_email'];
 
     $config_name_array = ['file_allowed_ext', 'forbid_extensions', 'forbid_mimes', 'allow_sitelangs', 'allow_request_mods', 'config_sso'];
+    $config_name_json = ['crosssite_valid_domains', 'crosssite_valid_ips', 'crossadmin_valid_domains', 'crossadmin_valid_ips'];
 
     foreach ($config_variable as $c_config_name => $c_config_value) {
         if (in_array($c_config_name, $config_name_array)) {
@@ -153,7 +154,15 @@ function nv_save_file_config_global()
             } else {
                 $c_config_value = '';
             }
-            $content_config .= "\$global_config['" . $c_config_name . "']=array(" . $c_config_value . ");\n";
+            $content_config .= "\$global_config['" . $c_config_name . "']=[" . $c_config_value . "];\n";
+        } elseif (in_array($c_config_name, $config_name_json)) {
+            $c_config_value = empty($c_config_value) ? [] : ((array) json_decode($c_config_value, true));
+            if (empty($c_config_value)) {
+                $c_config_value = '';
+            } else {
+                $c_config_value = "'" . implode("','", array_map('trim', $c_config_value)) . "'";
+            }
+            $content_config .= "\$global_config['" . $c_config_name . "']=[" . $c_config_value . "];\n";
         } else {
             if (preg_match('/^(0|[1-9][0-9]*)$/', $c_config_value) and $c_config_name != 'facebook_client_id') {
                 $content_config .= "\$global_config['" . $c_config_name . "']=" . $c_config_value . ";\n";
@@ -175,15 +184,15 @@ function nv_save_file_config_global()
     while ($row = $result->fetch()) {
         $c_config_value[] = $row['lang'];
     }
-    $content_config .= "\$global_config['setup_langs']=array('" . implode("','", $c_config_value) . "');\n";
+    $content_config .= "\$global_config['setup_langs']=['" . implode("','", $c_config_value) . "'];\n";
 
     //allowed_html_tags
     if (!empty($allowed_html_tags)) {
         $allowed_html_tags = "'" . implode("','", array_map('trim', explode(',', $allowed_html_tags))) . "'";
     } else {
         $allowed_html_tags = '';
     }
-    $content_config .= "\$global_config['allowed_html_tags']=array(" . $allowed_html_tags . ");\n";
+    $content_config .= "\$global_config['allowed_html_tags']=[" . $allowed_html_tags . "];\n";
 
     //Xac dinh cac search_engine
     $engine_allowed = (file_exists(NV_ROOTDIR . '/' . NV_DATADIR . '/search_engine.xml')) ? nv_object2array(simplexml_load_file(NV_ROOTDIR . '/' . NV_DATADIR . '/search_engine.xml')) : array();
@@ -218,7 +227,7 @@ function nv_save_file_config_global()
     }
     $content_config .= "\$nv_plugin_area=" . nv_var_export($nv_plugin_area) . ";\n\n";
 
-    $return = file_put_contents(NV_ROOTDIR . "/" . NV_DATADIR . "/config_global.php", trim($content_config), LOCK_EX);
+    $return = file_put_contents(NV_ROOTDIR . "/" . NV_DATADIR . "/config_global.php", trim($content_config) . "\n", LOCK_EX);
     $nv_Cache->delAll();
 
     //Resets the contents of the opcode cache

includes/core/rpc.php

@@ -22,7 +22,7 @@ function nv_getRPC($url, $data)
     $rand = array_rand($userAgents);
     $agent = $userAgents[$rand];
 
-    $url_info = @parse_url($url);
+    $url_info = parse_url($url);
     $url_info['port'] = isset($url_info['port']) ? intval($url_info['port']) : 80;
     if (isset($url_info['path'])) {
         if (substr($url_info['path'], 0, 1) != '/') {

includes/functions.php

@@ -1766,7 +1766,7 @@ function nv_is_url($url)
 
     $url = nv_strtolower($url);
 
-    if (!($parts = @parse_url($url))) {
+    if (!($parts = parse_url($url))) {
         return false;
     }
 
@@ -1813,7 +1813,7 @@ function nv_check_url($url, $is_200 = 0)
     if (nv_function_exists('get_headers') and $allow_url_fopen == 1) {
         $res = get_headers($url);
     } elseif (nv_function_exists('curl_init') and nv_function_exists('curl_exec')) {
-        $url_info = @parse_url($url);
+        $url_info = parse_url($url);
         $port = isset($url_info['port']) ? intval($url_info['port']) : 80;
 
         $userAgents = array(

includes/language/en/admin_settings.php

@@ -274,11 +274,17 @@
 $lang_module['cron_interval_type'] = 'Repeat type (if available)';
 $lang_module['cron_interval_type0'] = 'After the launch time in the database';
 $lang_module['cron_interval_type1'] = 'After the actual launch time';
-$lang_module['cors'] = 'CORS Setting';
-$lang_module['cors_help'] = 'Enable this feature to restrict CORS request from other domains to the website';
-$lang_module['cors_restrict_domains'] = 'Domain limit';
-$lang_module['cors_valid_domains'] = 'Valid domains';
-$lang_module['cors_valid_domains_help'] = 'Enter each one-line domain name (please enter the full form http://yourdomain.com). CORS request from these domains are allowed';
+$lang_module['cors'] = 'Cross-Site config';
+$lang_module['cors_site_restrict'] = 'Protect the user area';
+$lang_module['cors_site_restrict_help'] = 'Enable this option to block all external post request to the user area';
+$lang_module['cors_site_valid_domains'] = 'Valid domain for the user area';
+$lang_module['cors_site_valid_ips'] = 'Valid IP for the user area';
+$lang_module['cors_admin_restrict'] = 'Protect the admin area';
+$lang_module['cors_admin_restrict_help'] = 'Enable this option to block all external post request to the admin area';
+$lang_module['cors_admin_valid_domains'] = 'Valid domain for the admin area';
+$lang_module['cors_admin_valid_ips'] = 'Valid IP for the admin area';
+$lang_module['cors_valid_domains_help'] = 'Enter one domain per line (please enter the full form http://yourdomain.com), post request from these domains are allowed';
+$lang_module['cors_valid_ips_help'] = 'Enter one IP per line, post request from these IPs are allowed';
 $lang_module['admin_2step_opt'] = 'Two-step verification methods are allowed in administration';
 $lang_module['admin_2step_default'] = 'The default two-step verification method in administration';
 $lang_module['admin_2step_appconfig'] = 'Set up the application here';

includes/language/fr/admin_settings.php

@@ -274,11 +274,17 @@
 $lang_module['cron_interval_type'] = 'Répéter le type (si disponible)';
 $lang_module['cron_interval_type0'] = 'Après l\'heure de lancement dans la base de données';
 $lang_module['cron_interval_type1'] = 'Après l\'heure de lancement réelle';
-$lang_module['cors'] = 'CORS Setting';
-$lang_module['cors_help'] = 'Activer cette fonctionnalité pour limiter la demande CORS des autres domaines au site Web';
-$lang_module['cors_restrict_domains'] = 'Limite de domaine';
-$lang_module['cors_valid_domains'] = 'Domaines valides';
-$lang_module['cors_valid_domains_help'] = 'Entrez chaque nom de domaine en une ligne (veuillez saisir le formulaire complet http://votredomaine.com). Les demandes CORS de ces domaines sont autorisées';
+$lang_module['cors'] = 'Cross-Site config';
+$lang_module['cors_site_restrict'] = 'Protégez l\'espace utilisateur';
+$lang_module['cors_site_restrict_help'] = 'Activez cette option pour bloquer toutes les demandes de publication externes dans la zone utilisateur';
+$lang_module['cors_site_valid_domains'] = 'Domaine valide pour la zone utilisateur';
+$lang_module['cors_site_valid_ips'] = 'IP valide pour la zone utilisateur';
+$lang_module['cors_admin_restrict'] = 'Protéger la zone d\'administration';
+$lang_module['cors_admin_restrict_help'] = 'Activez cette option pour bloquer toutes les demandes de publication externes dans la zone d\'administration';
+$lang_module['cors_admin_valid_domains'] = 'Domaine valide pour la zone d\'administration';
+$lang_module['cors_admin_valid_ips'] = 'IP valide pour la zone d\'administration';
+$lang_module['cors_valid_domains_help'] = 'Entrez un domaine par ligne (veuillez entrer le formulaire complet http://votredomaine.com), les demandes de publication de ces domaines sont autorisées';
+$lang_module['cors_valid_ips_help'] = 'Entrez une adresse IP par ligne, la demande de publication de ces adresses IP est autorisée';
 $lang_module['admin_2step_opt'] = 'Les méthodes de vérification en deux étapes sont autorisées dans l\'administration';
 $lang_module['admin_2step_default'] = 'La méthode de vérification en deux étapes par défaut dans l\'administration';
 $lang_module['admin_2step_appconfig'] = 'Configurez l\'application ici';

includes/language/vi/admin_settings.php

@@ -291,8 +291,14 @@
 $lang_module['noflood_ip_edit'] = 'Sửa IP bỏ qua kiểm tra flood';
 $lang_module['noflood_ip_list'] = 'Các IP bỏ qua kiểm tra flood';
 
-$lang_module['cors'] = 'Thiết lập CORS';
-$lang_module['cors_help'] = 'Bật tính năng này để hạn chế các truy vấn CORS từ các tên miền khác đến website';
-$lang_module['cors_restrict_domains'] = 'Giới hạn tên miền';
-$lang_module['cors_valid_domains'] = 'Tên miền hợp lệ';
-$lang_module['cors_valid_domains_help'] = 'Nhập mỗi tên miền một dòng (vui lòng nhập đầy đủ dạng http://yourdomain.com). Các truy vấn CORS từ các tên miền này được phép thực hiện';
+$lang_module['cors'] = 'Thiết lập Cross-Site';
+$lang_module['cors_site_restrict'] = 'Bảo vệ ngoài site';
+$lang_module['cors_site_restrict_help'] = 'Kích hoạt chức năng này để chặn toàn bộ truy vấn từ bên ngoài vào khu vực ngoài site';
+$lang_module['cors_site_valid_domains'] = 'Tên miền hợp lệ ngoài site';
+$lang_module['cors_site_valid_ips'] = 'IP hợp lệ ngoài site';
+$lang_module['cors_admin_restrict'] = 'Bảo vệ khu vực quản trị';
+$lang_module['cors_admin_restrict_help'] = 'Kích hoạt chức năng này để chặn toàn bộ truy vấn từ bên ngoài vào khu vực quản trị';
+$lang_module['cors_admin_valid_domains'] = 'Tên miền hợp lệ trong quản trị';
+$lang_module['cors_admin_valid_ips'] = 'IP hợp lệ trong quản trị';
+$lang_module['cors_valid_domains_help'] = 'Nhập mỗi tên miền một dòng (vui lòng nhập đầy đủ dạng http://yourdomain.com), truy vấn từ các tên miền này được phép thực hiện';
+$lang_module['cors_valid_ips_help'] = 'Nhập mỗi IP một dòng, truy vấn từ các IP này được phép thực hiện';

includes/mainfile.php

@@ -352,14 +352,6 @@
 }
 define('UPLOAD_CHECKING_MODE', $global_config['upload_checking_mode']);
 
-// CORS handler
-if (!empty($global_config['cors_valid_domains'])) {
-    $global_config['cors_valid_domains'] = json_decode($global_config['cors_valid_domains'], true);
-} else {
-    $global_config['cors_valid_domains'] = [];
-}
-$nv_Request->CORSHandle($global_config);
-
 if (defined('NV_ADMIN')) {
     if (!file_exists(NV_ROOTDIR . '/includes/language/' . NV_LANG_DATA . '/global.php')) {
         if ($global_config['lang_multi']) {